On June 24, cybersecurity firm Kaspersky said that the malware, called SparkKitty, has been active since at least early 2024 and may be related to a similar malicious program called SparkCat. The cybersecurity firm noted in a report this Monday that SparkKitty specializes in stealing photos from infected devices in order to find screenshots of the seed phrase of crypto wallets. According to Kaspersky analysts Sergey Puzan and Dmitry Kalinin, the malware targets both iOS and Android platforms and is spread by sneaking into some apps on the Apple App Store and Google Play. Once the device is infected, the malicious program indiscriminately steals all the images in the album. "While we suspect that the attacker's primary target is a screenshot of the seed phrase of the crypto wallet, the stolen images may also contain other sensitive data." The two applications discovered by Kaspersky to spread the malware are linked to cryptocurrencies. One of them, called "coin", disguised as an encrypted message tracker, was once available on the App Store. Another app, SOEX, is a messaging app with a "cryptocurrency trading feature" that has been downloaded more than 10,000 times on Google Play. "The app has been downloaded more than 10,000 times since it was uploaded to Google Play. We've notified Google that the app has been removed from the store at this time," Puzan and Kalinin said. A Google spokesperson later confirmed that the app had been removed and the developer account had been banned. "Google Play Protect is turned on by default and automatically prevents the app from running, regardless of whether the user downloads it through Google Play or not," Google said. In addition, Kaspersky has found that SparkKitty is also being spread through gambling apps, games, and malicious TikTok clones.
The content is for reference only, not a solicitation or offer. No investment, tax, or legal advice provided. See Disclaimer for more risks disclosure.
Kaspersky discloses a new type of virus specifically targeting encryption users' mnemonic phrase screenshots.
On June 24, cybersecurity firm Kaspersky said that the malware, called SparkKitty, has been active since at least early 2024 and may be related to a similar malicious program called SparkCat. The cybersecurity firm noted in a report this Monday that SparkKitty specializes in stealing photos from infected devices in order to find screenshots of the seed phrase of crypto wallets. According to Kaspersky analysts Sergey Puzan and Dmitry Kalinin, the malware targets both iOS and Android platforms and is spread by sneaking into some apps on the Apple App Store and Google Play. Once the device is infected, the malicious program indiscriminately steals all the images in the album. "While we suspect that the attacker's primary target is a screenshot of the seed phrase of the crypto wallet, the stolen images may also contain other sensitive data." The two applications discovered by Kaspersky to spread the malware are linked to cryptocurrencies. One of them, called "coin", disguised as an encrypted message tracker, was once available on the App Store. Another app, SOEX, is a messaging app with a "cryptocurrency trading feature" that has been downloaded more than 10,000 times on Google Play. "The app has been downloaded more than 10,000 times since it was uploaded to Google Play. We've notified Google that the app has been removed from the store at this time," Puzan and Kalinin said. A Google spokesperson later confirmed that the app had been removed and the developer account had been banned. "Google Play Protect is turned on by default and automatically prevents the app from running, regardless of whether the user downloads it through Google Play or not," Google said. In addition, Kaspersky has found that SparkKitty is also being spread through gambling apps, games, and malicious TikTok clones.